Linux Admin

Fix Old CentOS Repos

Maintenance updates for CentOS 6 ended on 2020/11/30, so you must point the repos at the new (vault) mirror to fix this yum error:

yum list
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
 Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt

Steps:

  1. Step1: Update /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
  2. Step2: Clean the yum cache so metadata is fetched from the new baseurl:
    yum clean all
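The edit above is easy to get half right by hand across five sections. The script below is an added example, not part of the original wiki page: it rewrites a repo file in the stock CentOS-Base.repo layout (mirrorlist active, baseurl commented out) so that every section uses the vault baseurl, and then checks that every section still carries gpgcheck=1, which matters because the vault is reached over plain http and the GPG signature is what authenticates the packages. The vault URL is the one from the page; the sample repo file is constructed, and awk and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original wiki page: rewrite a CentOS 6 repo file
# so each [section] uses the vault baseurl instead of the dead mirrorlist, then
# verify every section still has gpgcheck=1. Assumes a POSIX sh with awk.

VAULT="http://vault.centos.org/6.10"   # release directory on the vault (from the page)

# Rewrite one repo file in place. Idempotent: running it twice gives the same result.
fix_centos_repo() {
    awk -v vault="$VAULT" '
        /^\[/ { sec = substr($0, 2, length($0) - 2) }      # remember the current [section]
        $0 ~ "^#?mirrorlist=" {                            # comment it out, add the vault baseurl
            line = $0; sub("^#", "", line); print "#" line
            path = (sec == "base") ? "os" : sec            # [base] lives under os/ on the vault
            print "baseurl=" vault "/" path "/$basearch/"
            next
        }
        $0 ~ "^#?baseurl=" { next }                        # drop old baseurl lines (one was just emitted)
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 if every [section] has gpgcheck=1, else exit with the number of sections lacking it.
check_gpgcheck() {
    awk '
        BEGIN { bad = 0 }
        /^\[/ { if (sec != "" && !ok) bad++; sec = $0; ok = 0 }
        /^gpgcheck=1/ { ok = 1 }
        END { if (sec != "" && !ok) bad++; exit bad }
    ' "$1"
}

# Constructed sample in the stock layout (mirrorlist active, baseurl commented out).
write_sample_repo() {
    cat <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF
}

# On a real box (as root), after backing the file up:
#   fix_centos_repo /etc/yum.repos.d/CentOS-Base.repo \
#     && check_gpgcheck /etc/yum.repos.d/CentOS-Base.repo && yum clean all
```

check_gpgcheck is deliberately a separate step: if you ever set gpgcheck=0 to get past a key problem, this is the check that catches it before the next yum update pulls unsigned packages over http.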

Install software

Install rpm package

mount /dev/cdrom /mnt/cdrom/
cd /mnt/cdrom/CentOS
rpm -i mc-4.6.1a-35.el5.i386.rpm

Manage packages with yum - Yellowdog Updater Modified

It can automatically perform system updates, including dependency analysis and obsolete processing based on "repository" metadata. It can also install new packages, remove old packages and query the installed and/or available packages, among many other commands/services (see below). yum is similar to other high-level package managers like apt-get and smart.

  • yum grouplist
    => 
    Installed Groups:
       DNS Name Server
       Dialup Networking Support
       Editors
       FTP Server
       .......
    Available Groups:
       Administration Tools
       Authoring and Publishing
       Base
       Beagle
       Cluster Storage
       Clustering
       Development Libraries
       Development Tools
  • yum groupinfo
    yum groupinfo "Development Libraries"
  • How to install gcc:
    # yum list | grep gcc
    => output:
    gcc.i386                                 4.1.2-44.el5                  base
    libgcc.i386                              4.1.2-44.el5                  base
    compat-gcc-34.i386                       3.4.6-4                       base
    .......
    # yum install gcc.i386
  • Check whether a package is installed or available:
      yum list | grep postfix
      postfix.x86_64                           2:2.6.6-6.el6_5                @updates
      postfix-perl-scripts.x86_64              2:2.6.6-6.el6_5                updates
      # @updates => installed (from the updates repo)
      # updates  => available, not installed
  • yum info php-mysql
    Loading mirror speeds from cached hostfile
    * base: mirrors.digipower.vn
    * elrepo: ftp.osuosl.org
    * extras: mirrors.digipower.vn
    * updates: mirrors.digipower.vn
    Installed Packages
    Name        : php-mysql

Manage Packages with Apt

apt-cache - performs a variety of operations on APT's package cache. apt-cache does not manipulate the state of the system but does provide operations to search and generate interesting output from the package metadata.

dpkg - package manager for Debian

Upgrade all installed packages:

apt-get upgrade

Search Packages:

  • Find packages that include <search_term>
    apt-cache search <search_term>
  • Find packages whose names contain <search_term>. Similar to apt-cache search, but also shows whether a package is installed on your system by marking it with ii (installed) and un (not installed).
    dpkg -l *<search_term>*

    For example:

    dpkg -l *chkconfig*

    output:

    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name                                 Version                 Architecture            Description
    +++-====================================-=======================-=======================-=============================================================================
    un  chkconfig                            <none>                  <none>                  (no description available)
  • Shows the description of package <package_name> and other relevant information including version, size, dependencies and conflicts
    apt-cache show <package_name>
  • Shows the description of package
    dpkg --print-avail <package_name>
  • List files in package <package_name>
    dpkg -L <package_name>

Admin User and Group

Admin user

  • Add user normal
    useradd anhvc
  • Set password for user anhvc
    passwd anhvc
  • Remove normal user:
    userdel anhvc
  • Remove the user together with the home directory and the user's mail spool:
    userdel -r anhvc
  • Add a system user:
    # create the user without creating a home directory
    useradd -M dovecot
    # lock the account so it cannot log in
    usermod -L dovecot

Admin group

  • Change name of group
    groupmod -n accounting accountant
  • Print all groups a user belongs to
    groups root

    output:

    root : root bin daemon sys adm disk wheel
  • Get all users in a group
    lid -g <groupname>

Modify Group of user

  • Add user anhvc with primary group ztbackup
    useradd anhvc -g ztbackup
  • Add an existing user to a group
    usermod -a -G <groupname> username
  • Change a user's primary group
    usermod -g <groupname> username
  • Add a user to multiple groups:
    usermod -a -G ftp,admins,othergroup <username>
  • Remove a user from a group
    gpasswd -d <username> <groupname>

Chown

  • Change the ownership of the file to the group “accounting”:
    chown :accounting filename
  • Command format:
    chown user:group filename

Passwd file

refer: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html

cat /etc/passwd | grep ftp

output:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
(username: ftp
userid: 14
group: 50 => ftp
real name: FTP User
home directory: /var/ftp
shell: /sbin/nologin)
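The field breakdown above is what an account audit keys on. The script below is an added example, not part of the original page: it prints the seven fields of an entry with the labels used above and then applies two checks a reviewer runs over /etc/passwd, namely extra UID 0 accounts and system accounts that still have an interactive shell (the useradd -M / usermod -L recipe above is what a service account should look like: no home, locked, /sbin/nologin). The entries are a constructed sample, so it runs without root; the first normal UID (500 on CentOS 6) is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not part of the original page: parse /etc/passwd entries into the
# fields listed above and flag the ones an admin should look at. The sample below
# is constructed (names and UIDs invented) so the script runs without root.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
svcacct:x:120:120:service account:/opt/svc:/bin/bash
anhvc:x:500:500:Anh VC:/home/anhvc:/bin/bash
operator:x:0:0:second uid 0 account:/root:/bin/bash
EOF
)

# Print the seven fields of one entry with the labels used above.
describe_passwd_entry() {
    printf '%s\n' "$1" | awk -F: '{
        printf "username: %s\nuserid: %s\ngroup: %s\nreal name: %s\nhome directory: %s\nshell: %s\n",
               $1, $3, $4, $5, $6, $7
    }'
}

# Accounts that share UID 0 with root (one name per line). Any hit here is a
# second root account, whatever its name says.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# System accounts (UID below the first normal UID, $2) that still have an
# interactive shell. A service user should end in nologin or false.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: -v first_uid="$2" '
        $3 != 0 && $3 < first_uid && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Real use: extra_uid0_accounts "$(cat /etc/passwd)"; system_accounts_with_shell "$(cat /etc/passwd)" 500
```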

Information of user profile

cat ~/.bash_profile
cat ~/.bashrc => login profile for user
cat ~/.bash_history => history commands of user

sudo config

  • Prepare /etc/sudoers for writing:
    chmod +w /etc/sudoers
  • To let a user run sudo as root, add the line below to /etc/sudoers:
    anhvc    ALL=(ALL)     NOPASSWD: ALL

    ⇒ allows user anhvc to run sudo without a password. The line below instead allows anhvc to run sudo with a password:

    anhvc    ALL=(ALL)  ALL
  • Comment out the line below to allow sudo without a tty:
    #Defaults requiretty
  • Remove write permission again:
    chmod -w /etc/sudoers

umask

umask (the user file-creation mode mask) determines the permissions of newly created files and directories

  • normal user: the default umask is 0002 ⇒ result:
    • default directory permissions are 775 (rwxrwxr-x)
    • default file permissions are 664 (rw-rw-r--)
  • root user: the default umask is 0022 ⇒ result:
    • default directory permissions are 755 (rwxr-xr-x). How to calculate the directory permission for umask 022 (root user):
            Default Permissions: 777
            Subtract umask value: 022 (-)
            Allowed Permissions: 755
    • default file permissions are 644 (rw-r--r--). How to calculate the file permission for umask 022 (root user):
            Default Permissions: 666
            Subtract umask value: 022 (-)
            Allowed Permissions: 644
  • How to restore the default mode after chmod has been run over a whole directory with another mode? Copy the file/directory to a new file/directory: the mode of the copy is derived automatically from the umask.
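The subtraction shown above is really a bitwise AND with the complement of the umask, which is why it never "borrows" between digits. The script below is an added example, not part of the original page: it computes the resulting mode that way, creates a file and a directory under a given umask in a scratch directory to confirm the numbers, and tests the copy trick from the last bullet. It also shows the limit of that trick: a copy gets the source mode masked by the umask, so copying removes bits but never adds them back (a 600 file stays 600 after copying under umask 022). Assumes POSIX sh, awk, ls and mktemp; no root needed.

```shell
#!/bin/sh
# Added example, not from the original page: check the umask arithmetic above
# against what the kernel really does, and show the limit of the
# "copy the file to restore the default mode" trick. Needs POSIX sh, awk, ls, mktemp.

# The page's subtraction done as the bit operation the kernel uses: each octal
# digit of the base mode (666 file / 777 dir) is ANDed with NOT the umask digit.
mode_after_umask() {   # usage: mode_after_umask 666 022  -> 644
    awk -v base="$1" -v mask="$2" 'BEGIN {
        out = ""
        for (i = 1; i <= 3; i++) {
            b = substr(base, i, 1) + 0
            m = substr(mask, length(mask) - 3 + i, 1) + 0   # works for 022 and 0022
            d = 0
            for (bit = 4; bit >= 1; bit /= 2)
                if (int(b / bit) % 2 == 1 && int(m / bit) % 2 == 0) d += bit
            out = out d
        }
        print out
    }'
}

# "-rwxr-xr-x" (first column of ls -l) -> "755"
symbolic_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2, 9); out = ""
        for (i = 0; i < 3; i++) {
            d = 0
            if (substr(s, i * 3 + 1, 1) == "r") d += 4
            if (substr(s, i * 3 + 2, 1) == "w") d += 2
            if (substr(s, i * 3 + 3, 1) == "x") d += 1
            out = out d
        }
        print out
    }'
}

mode_of() { symbolic_to_octal "$(ls -ld "$1" | awk '{ print $1 }')"; }

# Create a file and a directory under umask $1 and report their real modes as "file dir".
actual_modes_under_umask() {
    d=$(mktemp -d) || return 1
    (umask "$1" && touch "$d/f" && mkdir "$d/sub") || { rm -rf "$d"; return 1; }
    echo "$(mode_of "$d/f") $(mode_of "$d/sub")"
    rm -rf "$d"
}

# Mode a copy receives: source mode $1, umask $2 while cp runs.
mode_after_copy() {   # mode_after_copy 777 022 -> 755, but mode_after_copy 600 022 -> 600
    d=$(mktemp -d) || return 1
    touch "$d/src" && chmod "$1" "$d/src" || { rm -rf "$d"; return 1; }
    (umask "$2" && cp "$d/src" "$d/dst") || { rm -rf "$d"; return 1; }
    mode_of "$d/dst"
    rm -rf "$d"
}
```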

System startup and shutdown

System startup config

OS startup config files

+ /etc/inittab
id:3:initdefault:
=> id:runlevels:action:command
+ /etc/rc.local
=> startup script run when Linux boots

Understand run-level scripts in config files

Understanding run-level scripts: a software package that has a service to start at boot time (or when the system changes run levels)

  • can add a script to the /etc/init.d directory. That script can then be linked to an appropriate run-level directory and either be started or stopped (to start or stop the service).
    • step1: create my_daemon and copy it to /etc/init.d. The header of my_daemon must have this format (run levels, start priority, stop priority):
      # chkconfig: 345 82 28
      # description: Does something pretty cool - you really
      #    have to see it to believe it!
      # processname: my_daemon
    • step2: register it with chkconfig:
      chkconfig --add my_daemon
  • All of the programs within the /etc/rcX.d directories (where X is replaced by a run-level number) are symbolic links, usually to a file in /etc/init.d.
  • For each run level, a script beginning with K stops the service, whereas a script beginning with S starts the service.

Managing xinetd services

There are a bunch of services, particularly Internet services, that are not handled by separate run-level scripts. Instead, a single run-level script, xinetd 1), handles incoming requests for these services ⇒ xinetd is sometimes referred to as the super-server. Its start/stop script is:

/etc/init.d/xinetd

Manage services in linux

  • Start httpd service:
    service httpd start
  • Stop httpd service:
    service httpd stop
  • Configure httpd to start automatically at boot:
    chkconfig httpd on

    And on Debian:

    update-rc.d httpd enable
  • List all running services
    service --status-all | grep running

    output:

    acpid (pid 3039) is running...
    atd (pid 3318) is running...
    auditd (pid 2690) is running...
    automount (pid 3015) is running...
    Avahi daemon is running
    Avahi DNS daemon is not running
    hcid (pid 2892) is running...
    sdpd (pid 2896) is running...
    capi not installed - No such file or directory (2)
    crond (pid 3289) is running...
    cupsd (pid 3072) is running...
    .............................

Host and network config

Change hostname

  • Redhat / CentOS / Fedora: Edit /etc/sysconfig/network
    HOSTNAME=GWServer01-YN01

    And run the command below to set the hostname of the running system:

    hostname GWServer01-YN01
    /etc/sysconfig/network
  • Debian / Ubuntu: Edit /etc/hostname and enter the new hostname:
    GWServer01-YN01

    And run the command below to change the live hostname:

    hostname GWServer01-YN01

Edit login banner

telnet session

/etc/issue.net /etc/issue

ssh session

/etc/ssh/sshd_config

Network config

  • Redhat: Edit /etc/sysconfig/network-scripts/ifcfg-eth0:
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=120.138.64.2
    NETMASK=255.255.255.192
    HWADDR=00:1A:64:56:12:10
    GATEWAY=120.138.64.1

    And run the command below to activate the config:

    /sbin/service network restart
  • Debian / Ubuntu: Edit /etc/network/interfaces
    auto eth0
    iface eth0 inet static
    address 123.30.133.150
    gateway 123.30.133.129
    netmask 255.255.255.128
    # custom: network and broadcast are optional (keep comments on their own line)
    network 123.30.133.128
    broadcast 123.30.133.255

    And run the command below to activate the config:

    /etc/init.d/networking restart
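A network restart with a gateway outside the interface's own subnet is the classic way to lock yourself out of a remote box. The script below is an added example, not part of the original page: it does the subnet arithmetic behind both stanzas above (network, broadcast, and whether the gateway is reachable on-link) in POSIX sh arithmetic, and checks an ifcfg-eth0 style file before you run service network restart. The sample file is constructed from the page's Redhat values; the Debian values (123.30.133.150/255.255.255.128) are used to check the custom network and broadcast lines.

```shell
#!/bin/sh
# Added example, not from the original page: subnet arithmetic for the IPADDR /
# NETMASK / GATEWAY values above and a sanity check of an ifcfg-style file.
# Uses only POSIX sh arithmetic, sed and tr; the sample file is constructed.

ip_to_int() (   # 120.138.64.2 -> 32-bit integer (subshell keeps the IFS change local)
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip() {   # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of()   { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }           # ip mask
broadcast_of() { int_to_ip $(( ($(ip_to_int "$1") & $(ip_to_int "$2")) | (4294967295 - $(ip_to_int "$2")) )); }
same_network() { [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$2")" ]; }        # ip mask other_ip

# Read KEY=VALUE from an ifcfg-style file (quotes stripped, first match wins).
ifcfg_get() { sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1; }

# Return 0 and print a summary if IPADDR, NETMASK and GATEWAY are present and the
# gateway lies inside the interface's own subnet; otherwise say why and return 1.
check_ifcfg() {
    ip=$(ifcfg_get "$1" IPADDR); mask=$(ifcfg_get "$1" NETMASK); gw=$(ifcfg_get "$1" GATEWAY)
    if [ -z "$ip" ] || [ -z "$mask" ] || [ -z "$gw" ]; then
        echo "missing IPADDR, NETMASK or GATEWAY" >&2; return 1
    fi
    if ! same_network "$ip" "$mask" "$gw"; then
        echo "GATEWAY $gw is outside $(network_of "$ip" "$mask") (mask $mask)" >&2; return 1
    fi
    echo "ok: $ip/$mask network $(network_of "$ip" "$mask") broadcast $(broadcast_of "$ip" "$mask") gateway $gw"
}

# Constructed sample with the page's Redhat values.
write_sample_ifcfg() {
    cat <<'EOF'
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=120.138.64.2
NETMASK=255.255.255.192
GATEWAY=120.138.64.1
EOF
}

# Real use: check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 && /sbin/service network restart
```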

Check network card

/sbin/ifconfig -a
/sbin/arp -a

Check hardware network

sudo /usr/sbin/dmidecode
sudo /usr/sbin/dmidecode -t baseboard

output:

Handle 0x002B, DMI type 10, 6 bytes
On Board Device Information
        Type: Ethernet
        Status: Enabled
        Description: Onboard Ethernet
Handle 0x006A, DMI type 41, 11 bytes
Onboard Device
        Reference Designation:  Onboard LAN
        Type: Ethernet
        Status: Enabled
        Type Instance: 1
        Bus Address: 0000:00:19.0

Config Route

Static route

  • Redhat
    route add -net 10.60.3.0/24 gw 10.30.41.1
    route add -net 192.168.2.0/24 gw 192.168.2.2
    route add default gw 120.138.64.1
  • Debian
    up route add -net 10.60.3.0/24 gw 10.30.41.1 dev eth1
    up route add -net 192.168.2.0/24 gw 192.168.2.2 dev eth1

Dynamic route

  • Redhat: update route in /etc/sysconfig/network-scripts/route-eth1
    cat > /etc/sysconfig/network-scripts/route-eth1
    10.199.44.0/24 via 10.30.31.1
    10.199.51.5/32 via 10.30.31.1
    10.199.3.0/24 via 10.30.31.1
    10.199.50.213/32 via 10.30.31.1
    10.30.4.0/27 via 10.30.31.1
    118.102.5.136/32 via 10.30.31.1
    192.168.64.0/24 via 10.30.31.1
    10.30.4.9/32 via 10.30.31.1

    Or run the commands below to add a route:

    echo '10.30.15.16/32 via 10.30.31.1' >> /etc/sysconfig/network-scripts/route-eth1
    route add -host 10.30.15.16 gw 10.30.31.1

    And activate the configuration:

    /sbin/service network restart
  • Debian: Edit /etc/network/interfaces
    up route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11
    down route del -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11

    And activate the configuration:

    /etc/init.d/networking restart

DNS

[/etc/resolv.conf]

nameserver 202.96.209.5

DHCP server

  • config: /etc/dhcp.conf
  • client: run dhclient ⇒ obtains a dynamic IP

Security

Iptables

start,stop iptables

service iptables start
service iptables stop
service iptables restart
service iptables status
chkconfig --level 345 iptables on
chkconfig --list iptables

Iptable config

  • config file: /etc/sysconfig/iptables
  • Create a simple iptables ruleset that opens ssh, http and ICMP:
    *filter
    :INPUT ACCEPT [396:30624]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [216:23216]
    -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    #eth0 INPUT here
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i eth0 -p icmp -j ACCEPT
    -A INPUT -i eth0 -j DROP
    #eth1 INPUT here
    -A INPUT -i eth1 -p icmp -j ACCEPT
    -A INPUT -i eth1 -j DROP
    COMMIT
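The ruleset above does what it says, but it has three properties a reviewer would flag: there is no loopback rule ahead of the DROP rules, the RELATED,ESTABLISHED rule only covers tcp (so a DNS answer to a lookup the box itself made is dropped on eth0), and the INPUT policy stays ACCEPT with per-interface DROP rules, so any interface that is not named is wide open. The script below is an added example, not part of the original page: a small awk lint for iptables-save files that reports exactly those three things, run against the page's ruleset (copied verbatim, constructed as a file) and against a hardened variant with the same intent that passes. Needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original page: lint an iptables-save style ruleset
# for three gaps a reviewer looks for in a "simple" INPUT policy, plus a hardened
# variant that passes the same lint. Needs POSIX sh and awk.

# Print one line per finding; the exit status is the number of findings.
lint_iptables() {
    awk '
        /^:INPUT ACCEPT/ { policy_accept = 1 }
        /^-A INPUT / && /-i lo / && /-j ACCEPT/ { loopback = 1 }
        /^-A INPUT / && /--state RELATED,ESTABLISHED/ {
            state = 1
            if ($0 ~ /-p (tcp|udp|icmp)/) state_proto = 1
        }
        /^-A INPUT -j (DROP|REJECT)/ { catchall = 1 }
        END {
            n = 0
            if (!loopback) { print "no explicit loopback ACCEPT (-A INPUT -i lo -j ACCEPT) ahead of the DROP rules"; n++ }
            if (!state) { print "no RELATED,ESTABLISHED rule: replies to outbound connections are dropped"; n++ }
            else if (state_proto) { print "RELATED,ESTABLISHED limited to one protocol: UDP replies (e.g. DNS answers) are dropped on interfaces with a DROP rule"; n++ }
            if (policy_accept && !catchall) { print "INPUT policy ACCEPT with per-interface DROP only: an interface not named (new NIC, VPN tunnel) is wide open"; n++ }
            exit n
        }
    ' "$1"
}

# Number of findings as a printed value, for callers that do not want the exit status.
lint_count() { n=0; lint_iptables "$1" >/dev/null || n=$?; echo "$n"; }

# The page's ruleset, verbatim.
weak_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [396:30624]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [216:23216]
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
EOF
}

# Same intent (ssh and http on eth0, ICMP everywhere): default deny, loopback
# allowed, stateful ACCEPT for every protocol, INVALID dropped, explicit final DROP.
hardened_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Real use: lint_iptables /etc/sysconfig/iptables
```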

log system: messages,secure,cron

syslogd, klogd

These daemons provide centralized logging in linux.

  • configuration file: /etc/syslog.conf
  • control script: /etc/rc.d/init.d/syslog

/var/log

  • /var/log/dmesg: This log file is written upon system boot. It contains messages from the kernel that were raised during the boot process. You can also view them using the command:
        #dmesg
        
  • /var/log/messages: This is the standard system log file, which contains messages from all your system software, non-kernel boot issues, and messages that go to 'dmesg'.
  • /var/log/maillog: This log file contains messages and errors from your sendmail.
  • /var/log/secure: This log file contains messages and errors from security related systems such as login, tcp_wrappers, and xinetd. This log file is very useful in detecting and investigating network abuse.
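Detecting network abuse from /var/log/secure comes down to a few aggregations over the sshd, sudo and xinetd lines it holds. The script below is an added example, not part of the original page: it counts failed ssh logins per source address, lists the sources over a threshold, extracts successful logins (so a success right after a burst of failures from the same address stands out) and lists commands run through sudo. The log lines are a constructed sample with made-up hosts and documentation addresses; on a real box the functions read the file through stdin. Needs POSIX sh, awk and sort.

```shell
#!/bin/sh
# Added example, not from the original page: the kind of detection /var/log/secure
# supports, run over constructed sample lines (hostnames, users and addresses
# below are made up). Needs POSIX sh, awk and sort.

SAMPLE_SECURE=$(cat <<'EOF'
Aug 17 20:01:03 gw01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 17 20:01:05 gw01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Aug 17 20:01:09 gw01 sshd[2110]: Failed password for root from 203.0.113.7 port 51130 ssh2
Aug 17 20:02:11 gw01 sshd[2130]: Accepted publickey for anhvc from 192.0.2.10 port 40022 ssh2
Aug 17 20:03:40 gw01 sshd[2150]: Failed password for anhvc from 192.0.2.10 port 40030 ssh2
Aug 17 20:05:00 gw01 sudo:    anhvc : TTY=pts/0 ; PWD=/home/anhvc ; USER=root ; COMMAND=/bin/bash
Aug 17 20:06:12 gw01 xinetd[1820]: START: ftp pid=2201 from=203.0.113.7
EOF
)

# "count ip" per source address of failed ssh logins, most active first (stdin: log lines).
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Source addresses with at least $1 failed logins: the brute-force candidates.
brute_force_sources() { failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'; }

# Successful logins as "user ip method" ($7 is the auth method in the sshd message).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
             print u, ip, $7
         }'
}

# Commands run through sudo as "user -> target: command".
sudo_commands() {
    awk '/ sudo: / {
             target = "?"
             for (i = 1; i <= NF; i++) if ($i ~ /^USER=/) target = substr($i, 6)
             cmd = substr($0, index($0, "COMMAND=") + 8)
             print $6 " -> " target ": " cmd
         }'
}

# Real use: brute_force_sources 10 < /var/log/secure
```

The thresholds are the part to tune: three failures in the sample is obviously a scan, but on a box with a busy ssh port you would want the count per address per hour rather than per file, which is a matter of adding the hour ($3 up to the first colon) to the awk key.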

Scheduling System Tasks

Check the log of all cron jobs on the system:

cat /var/log/cron

Scheduling System Tasks with at

/etc/at.deny
echo "/sbin/init 0" | at now +1 minutes

atq
job 12 at 2009-08-17 20:06

Scheduling System Tasks with crond(crontab)

To schedule with crond, make sure crond is configured to start automatically when Linux boots:

chkconfig crond on

Available System Crontabs

All available crontabs:

crontab
cron.deny
cron.hourly
cron.daily
cron.weekly
cron.monthly
cron.d

basic crontab commands

  • crontab -e: create or edit crontab configuration file
  • crontab -l: display content of crontab configuration file
  • crontab -r: delete crontab configuration file

crontab configuration file per Linux user

  • cat /var/spool/cron/root
    */30 * * * * /usr/sbin/ntpdate  pool.ntp.org
    */5 * * * * /usr/local/bin/iostat.sh
    14 2 * * * /etc/webmin/cron/tempdelete.pl
    30 4 * * 1 /root/scripts/kpiweekly.sh >> /var/log/kpiweekly.log
    0 5 1 * * /root/scripts/kpimonthly.sh >> /var/log/kpimonthly.log
  • structure of crontab
    minute(s) hour(s) day(s) month(s) weekday(s) command(s)
       *     *     *     *     *     command to be executed
       -     -     -     -     -
       |     |     |     |     |
       |     |     |     |     +----- day of week (0 - 6) (Sunday=0)
       |     |     |     +------- month (1 - 12)
       |     |     +--------- day of month (1 - 31)
       |     +----------- hour (0 - 23)
       +------------- min (0 - 59)
    25 18 * * * /etc/webmin/cron/tempdelete.pl
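A crontab line with a field out of range is rejected by crontab -e, but a line that merely means something other than intended (a 7 for Sunday where this cron wants 0, a hour of 25 pasted from a different time format) is the sort of thing worth checking in a script before the file is installed. The script below is an added example, not part of the original page: it validates a user-crontab line against the five fields drawn above, accepting the forms used on this page (*, */step, plain numbers) plus ranges and lists, and validates a whole crontab file skipping comments and MAILTO-style variable lines. The day-of-week range is the page's 0-6. Needs POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original page: validate user-crontab lines against
# the five time fields drawn above. Accepts "*", "*/step", "a-b", "a,b,c" and plain
# numbers; day of week is 0-6 as on the page. Needs POSIX sh and awk.

validate_cron_line() {   # prints "ok" or the first problem; returns 1 on a problem
    printf '%s\n' "$1" | awk '
        function check_field(f, lo, hi, name,    n, parts, i, p, b) {
            n = split(f, parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                sub("/[0-9]+$", "", p)                  # strip a step suffix such as /30
                if (p == "*") continue
                if (p ~ /^[0-9]+$/) {
                    if (p + 0 < lo || p + 0 > hi) return name " out of range: " parts[i]
                    continue
                }
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, b, "-")
                    if (b[1] + 0 < lo || b[2] + 0 > hi || b[1] + 0 > b[2] + 0) return name " bad range: " parts[i]
                    continue
                }
                return name " unrecognised: " parts[i]
            }
            return ""
        }
        {
            if (NF < 6) { print "need five time fields and a command"; exit 1 }
            err = check_field($1, 0, 59, "minute")
            if (err == "") err = check_field($2, 0, 23, "hour")
            if (err == "") err = check_field($3, 1, 31, "day of month")
            if (err == "") err = check_field($4, 1, 12, "month")
            if (err == "") err = check_field($5, 0, 6, "day of week")
            if (err != "") { print err; exit 1 }
            print "ok"
        }'
}

# Validate every job line of a crontab file (comments, blank lines and NAME=value
# settings such as MAILTO are skipped); print each bad line and return 1 if any.
validate_crontab_file() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac
        result=$(validate_cron_line "$line") || { echo "$line -> $result"; rc=1; }
    done < "$1"
    return $rc
}

# Real use: validate_crontab_file /var/spool/cron/root
```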

Create a simple crontab

create a crontab for user anhvc that backs up /home/anhvc/data.txt at 21:45 every day

  • step1: create the backup script /home/anhvc/backupdata.sh and make it executable (chmod +x). cron does not run it from your shell session, so use absolute paths:
    #!/bin/sh
    # copy data.txt to a file named after the current time and date, e.g. 214501_170809.txt
    file_name=$(date +%H%M%S_%d%m%y)
    cp /home/anhvc/data.txt "/home/anhvc/$file_name.txt"
  • step2: Create crontab configuration file
    crontab -e
    45 21 * * * /home/anhvc/backupdata.sh
  • step3: restart the crond service
    sudo /etc/init.d/crond restart
  • step4: check content of crontab configuration file
    crontab -l  => 45 21 * * * /home/anhvc/backupdata.sh
  • step5: check the output of the crontab
    ls /home/anhvc 
    => 214501_170809.txt

Create a crontab to update the system date/time

  1. Step1: Install ntpdate
    yum install ntpdate
  2. Step2: Create the crontab content:
    */30 * * * * /usr/sbin/ntpdate  pool.ntp.org

logrotate

Run logrotate every day from crond

logrotate is run daily by crond through the default script /etc/cron.daily/logrotate shown below:

#!/bin/sh
 
/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

Config logrotate for apache logs

in /etc/logrotate.d/httpd

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

⇒ change /var/log/httpd/*log to the directory that contains the log files

Config logrotate for nginx logs

refer: http://article.gmane.org/gmane.comp.web.nginx.english/586

  1. Step1: Configure nginx to create a pid file in conf/nginx.conf:
    worker_processes  1;
    
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    
    pid        /var/run/nginx.pid;
  2. Step2: Restart nginx and check the content of /var/run/nginx.pid. If OK, go to the next step
  3. Step3: create the logrotate config for nginx in /etc/logrotate.d/nginx with the content below:
    /usr/local/nginx/logs/*log {
        #rotate the logfile(s) daily
        daily
        # adds extension like YYYYMMDD instead of simply adding a number
        dateext
        # If log file is missing, go on to next one without issuing an error msg
        missingok
        # Save logfiles for the last 52 days
        rotate 52
        # Old versions of log files are compressed with gzip
        compress
        # Postpone compression of the previous log file to the next rotation cycle
        delaycompress
        # Do not rotate the log if it is empty
        notifempty
        # create mode owner group
        create 640 root nobody
        sharedscripts
        #after logfile is rotated and nginx.pid exists, send the USR1 signal
        postrotate
            [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
        endscript
    }

    root:nobody(user: root, group: nobody) permissions might need further revision in your own system, as well as the logs and pid file location

  4. Step4: run logrotate once to test the nginx config
    logrotate --force /etc/logrotate.d/nginx

Optimize OS parameters (sysctl)

Dynamic config (lost when the OS restarts)

  • run some basic dynamic config:
    ulimit -n 102400
    ulimit -c 1024000
    echo 1073741824 >/proc/sys/kernel/shmmax
    echo 200000 260000 300000 > /proc/sys/net/ipv4/tcp_mem
  • check config:
    ulimit -a

    ⇒ output:

    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 0
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 256651
    max locked memory       (kbytes, -l) 64
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 1024
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    real-time priority              (-r) 0
    stack size              (kbytes, -s) 10240
    cpu time               (seconds, -t) unlimited
    max user processes              (-u) 1024
    virtual memory          (kbytes, -v) unlimited
    file locks                      (-x) unlimited

Increase the number of open files (/etc/sysctl.conf)

Check the number of open files

  • Method1:
    cat /proc/sys/fs/file-nr

    ⇒output:

    960     0       65536

    ⇒ 960 file handles are allocated and fs.file-max = 65536

  • Method2: Check sysctl
    sysctl -a | grep file-max

    output:

    fs.file-max = 65536

Steps to configure the maximum number of open files:

  1. Step1: Edit /etc/sysctl.conf to raise the system-wide maximum number of open files:
    fs.file-max = 65536
  2. Step2: Add the per-user limits to /etc/security/limits.conf:
    *          soft     nproc          65535
    *          hard     nproc          65535
    *          soft     nofile         65535
    *          hard     nofile         65535
  3. Step3: reboot
  4. Step4: recheck after the reboot:
    ulimit -n

    output:

    65535
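Two checks go with the steps above: how close the box is to fs.file-max (the first and third numbers in /proc/sys/fs/file-nr), and what hard nofile limit limits.conf actually grants a given user. The second one has a trap: pam_limits does not apply the "*" wildcard to root, so the four "*" lines in step 2 leave root on the default unless a line naming root is added. The script below is an added example, not part of the original page: both checks run on constructed input (a file-nr style file and a limits.conf in the layout of step 2, with an extra nginx line) so they work without root. Needs POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original page: two checks that go with the open
# files steps above, on constructed input so they run without root.

# $1 = path to a file in /proc/sys/fs/file-nr format ("allocated free max"),
# $2 = warning threshold in percent. Prints "allocated max percent"; returns 1 if over threshold.
file_nr_usage() {
    awk -v warn="$2" '{
        pct = int(100 * $1 / $3)
        print $1, $3, pct
        exit (pct >= warn) ? 1 : 0
    }' "$1"
}

# $1 = user, $2 = limits.conf path. Prints the effective hard nofile value: an
# explicit user line wins over "*", and "*" is ignored for root (pam_limits rule),
# so root prints "unset" unless a line names it.
limits_hard_nofile() {
    awk -v u="$1" '
        substr($1, 1, 1) != "#" && $2 == "hard" && $3 == "nofile" {
            if ($1 == u) exact = $4
            else if ($1 == "*" && u != "root") star = $4
        }
        END { print (exact != "" ? exact : (star != "" ? star : "unset")) }
    ' "$2"
}

write_sample_limits() {   # constructed, in the layout of step 2 above plus one explicit user
    cat <<'EOF'
# /etc/security/limits.conf
*          soft     nproc          65535
*          hard     nproc          65535
*          soft     nofile         65535
*          hard     nofile         65535
nginx      hard     nofile         100000
EOF
}

# Real use: file_nr_usage /proc/sys/fs/file-nr 80; limits_hard_nofile nginx /etc/security/limits.conf
```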

Check config

ulimit -a
sysctl -a => Display all values currently available.
sysctl kernel => for kernel
sysctl fs => for file system
sysctl net => for net system
1) formerly inetd
linux/admin.txt · Last modified: 2022/10/29 16:15 by 127.0.0.1